Wednesday, December 14, 2016

With the release of Microsoft Outlook 2016, it is now no longer possible to manually add an Exchange account. Exchange accounts can only be added to Outlook 2016 using Autodiscover. If Autodiscover records aren't published, your administrator will need to publish them so Outlook can find the account.

In Outlook 2010 and 2013, users were able to manually add Exchange accounts to the Outlook client by selecting "Manual Setup".

Make sure you add the Autodiscover record to your public DNS or alternatively modify the hosts file with an Autodiscover record so the Outlook client can resolve the correct Exchange communication settings.

It is disappointing that you cannot select what method you wish to connect in Outlook 2016 when attempting to perform a manual setup.

Friday, December 9, 2016

I have a customer who has 3 forests all running Exchange 2003 on Windows Server 2003... yes in the year 2016 (almost 2017). Before moving to Exchange 2010 --> 2016 we are required to consolidate with some cross-forest migrations.

I need to test some things in my lab before performing this migration in production so I built some 2003 servers... been ages!

After running the installation I had issues patching the servers and I found no information online around Error Number: 0x80072EFF - surprising as it seems like such a common error (is there really no one out there installing Server 2003 now?)

When clicking start and selecting Windows Update, this is the error I received.

After playing around for a good 15 minutes googling this error, I decided to upgrade Internet Explorer to version 8 (the highest supported on 2003 server). This is downloaded from the following website for 32bit.

Monday, October 31, 2016

A customer of mine running Exchange 2010 SP3 after a UPS had issues with Exchange loosing trust to the Active Directory domain. This renders Microsoft Exchange unusable as all important Exchange configuration is stored within Active Directory.

Computer accounts like user accounts also have passwords. These change every 30 days by default by Active Directory and member servers and workstations are automatically updated with the new password. In the event the workstation or member server is not updated with the latest computer password; the trust fails and the machine displays the error “The trust relationship between the workstation and the primary domain failed” as shown in the screenshot below:

As a general fix for this issue, the PC is simply needs to be rejoined to the domain which works for most member servers and workstations.

Exchange however stores all its config in Active Directory and cannot be removed from a domain.

In the event you experience your Exchange Server loosing trust to Active Directory, you can re-establish trust using the following command on the Exchange Server after logging in with the local administrator account:

A customer of mine had an issue with a Direct Access Server not displaying connection statistics. My clients are connecting to the server without issues using IPHTTPS but we have no visibility to who is connected and for how long.

All connections and total bytes display 0 in both PowerShell and "Remote Access Management Console".

Also on the Remote Client Status page, no active clients are displayed.

This issue occurs when Windows Firewall is disabled on a Direct Access server.

Re-enable Windows Firewall and reboot the server. After rebooting the server, wait 24 hours and you will notice statistics will start generating again.

Thursday, October 13, 2016

A customer had an issue with Microsoft Exchange 2013 search not working. Users received an error "Your search didn't return any results" in Outlook Web App.

This following error was generated in the Application Logs on the server.

Log Name: ApplicationSource: MSExchangeFastSearchDate: 14/10/2016 1:10:14 PMEvent ID: 1006Task Category: GeneralLevel: WarningKeywords: ClassicUser: N/AComputer: Exchange.domain.localDescription:The FastFeeder component received a connection exception from FAST. Error details: System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:3847/. The connection attempt lasted for a time span of 00:00:02.0469288. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:3847. ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:3847 at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult) at System.ServiceModel.Channels.SocketConnectionInitiator.ConnectAsyncResult.OnConnect(IAsyncResult result) --- End of inner exception stack trace ---

This issue occurs when the "Microsoft Exchange Search Host Controller" service is in a stopped state. My customer installed the latest Cumulative Update for Exchange 2013 and after the installation finished, the Search Host Controller was not set back to an Automatic.

Monday, September 26, 2016

I needed to access a Cisco UCS Blade enclosure at one of my customers after a major ESX failure. When attempting to access the KVM over the Java applicate for the Cisco UCSB-B200-M3 blade servers, I received the following error:

The viewer has terminated.Reason: The network connection has been dropped.

After troubleshooting the issue for a while, I decided to downgrade my version of Java to an older build. I tried the following build of Java in a Virtual Machine:

Java SE Runtime Environment 7u79

Success!

There is an issue with the latest Java build and the Cisco UCS KVM application.

Sunday, September 18, 2016

When migrating from Exchange 2013 to Exchange 2016, I encountered an error 0x80190194 when downloading the Offline Address Book on workstations.

0x80190194 The Operation Failed

0x80190194 is a very common error when downloading the OAB and there are many server side problems which can generate this error.

Exchange 2013 by default had the servers responsible for the Offline Address Book hard coded as a Virtual Directory as shown below.

In Exchange 2016, by default we no longer want to hard code the Virtual Directories and instead enable GlobalWebDistribution which allows the Autodiscover service to automatically select the best Virtual Directory for the distribution request.

To set this up, we want to ensure the VirtualDirectories attribute for each Offline Address Book is set to $null. We also want to ensure GlobalWebDistribution is enabled so that Autodiscover can take care of it.

Monday, September 12, 2016

This issue may be encountered when migrating to Exchange 2016 from Exchange 2013 when MAPI over HTTPS is enabled. The default Exchange 2013 MAPI over HTTPS authentication settings set IIS and Internal Authentication methods as Negotiate and External as null. This is shown below:

The Default Exchange 2016 MAPI over HTTPS authentication settings are configured as "Ntlm, OAuth and Negotiate"

Proxying MAPI over HTTPS connections between Exchange 2016 and Exchange 2013 requires NTLM be enabled. The default Exchange 2013 MAPI over HTTPS authentication settings will cause Outlook connectivity issues when both Exchange 2016 and Exchange 2013 are in the same Active Directory site.

The error which is generated by the Exchange Remote Connectivity Analyzer in this configuration is as follows:

Saturday, August 27, 2016

Because Exchange Server runs most of its configuration at an "Organisation Level" adding new Exchange Servers to an existing Exchange Environment can be a difficult challenge to ensure users get a seamless experience. When adding new Exchange Servers to an organisation (such as Exchange 2016) in an existing Exchange 2013 organisation, the new Exchange 2016 server will immediately start advertising its SCP Autodiscover record and other internalURLs such as the MapiVirtualDirectory.

Whilst this does not cause direct issues to Exchange Resources, it will present certificate warnings on Outlook clients as the default Self Signed certificate will not be trusted on the Outlook clients.

Outlook Clients (if they are in the same Active Directory site) as the Autodiscover Site Scope will immediately start picking up the new Exchange server and communicating with it - hence generating certificate warnings such as the one below.

As an Exchange Administrator, your first task after building the new server is to immediately install a valid trusted certificate on your new Exchange server and update the Autodiscover SCP record on the new ClientAccessService with the Set-ClientAccessService cmdlet. It is then very important to update all other URLs such as the MapiVirtualDirectory, Outlook Anywhere etc.

Changing the values for your new Exchange 2013/2016 servers however will not stop the certificate warnings from being displayed to users right away however. Even though you update your Records, Outlook clients will continue receiving the old records for some time as shown in the screenshot below.

This occurs as when the Exchange 2016 server is first built, your Exchange 2013 servers will cache in the IIS AppPool these original records. Your Exchange 2013 servers will continue to return via Autodiscover the record of the Exchange 2016 FQDN that does not match the name on the digital certificate.

To force your Exchange 2013 servers to start forcing the correct name immediately, an iisreset is required on all Exchange 2013 servers in the same Active Directory site as the new Exchange 2016 server. This will cause a slight disruption for users.

See the issue?

As soon as your new Exchange 2016 server is installed, users will begin getting certificate warnings.

To quickly update the certificate and names of the Exchange Web Services, the iisreset on the Exchange 2013 servers will cause a slight outage.

Make sure you plan for this in your Exchange 2016 rollout. Let users know in advance to ignore the certificate warning which will be displayed after the first Exchange 2016 server is built. This will reduce the load on your companies service desk.

Wednesday, August 10, 2016

The local administrator account resides on every Windows Server and is usually in an enabled state. This account is a major security vulnerability and is commonly prone to hacking attempts.

Security flaws with this account include:

This account cannot be locked out and does not adhere to local or domain account lockout password policies. This allows brute force attacks to be conducted against the account.

The local administrator account is a well known SID, it always begins with S-1-5- and end with -500. There are also tools allowing you to login with a SID rather then an account name so an attacker could launch a brute force without knowing the account!

"The built-in Administrator account cannot be locked out no matter how many failed logons it accrues, which makes it a prime target for brute-force attacks that attempt to guess passwords. Also, this account has a well-known security identifier (SID), and there are non-Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to log on. All other accounts that are members of the Administrator's group have the safeguard of locking out the account if the number of failed logons exceeds its configured maximum."

If security if your top concern, my recommendation is to disable this account and always create a new Administrator account regardless if it is the default domain Administrator account or default local Administrator account.

Wednesday, July 20, 2016

I was attempting to add a new DFSR node to an existing DFSR Replication Group consisting of 17 file servers. When adding the server the following error was experienced.

DFS Replication cannot replicate the replicated folder REPLICATEDFOLDER because the local path E:\replicationgroup is not the fully qualified path name of an existing, accessible local folder. This replicated folder is not replicating to or from this server. Event ID: 6404

This particular error is generally experienced when people attempt a non NTFS volume such as ReFS to a DFSR replication group as documented on the following forum.

In my case, I experienced this error with DFSR setup on NTFS volume on a new branch server.

The customer moved the DFSR node from one office, to another office. The C:\ "SYSTEM" volume was formatted and reloaded with a fresh copy of 2012 R2 with latest patches, however the E:\ "DATA" volume was not formatted. As a result it has its legacy DFSR Database, Staging data etc.

To clean up the staging data I created a new directory in C:\ called "empty":

C:\Empty

I then ran the following commands after stopping the DFSR Replication service on the spoke server:

Robocopy "C:\Empty" "E:\System Volume Information\DFSR" /MIR

Followed by

rmdir "E:\System Volume Information\DFSR"

Starting the DFSR replication service resulted in the error above.

After playing around a bit more, I found that in addition to flushing all data in System Volume Information\DFSR you must also remove the DfsrPrivate link which points to the System Volume Information\DFSR sub directory for DfsrPrivate data.

After doing this, starting the DFS Replication service kicks of its normal DFSR Initial Sync shown by a state of 2:

Since installing this update and removing this update, one of our spoke servers failed to replicate back to the primary hub server. All data from the spoke server replicated correctly to the hub, however data from the hub was not propagating down to the spoke.

Microsoft then disabled the following Offload features on the HP Network Interface card on the spoke server:

IPv4 Large Send Offload

Large Send Offload V2 (IPv4)

Large Send Offload V2 (IPv6)

TCP Connection Offload (IPv4)

TCP Connection Offload (IPv6)

TCP/UDP Checksum Offload (IPv4)

TCP/UDP Checksum Offload (IPv6)

After disabling these components of the network interface card and restarting the DFS Replication service, the backlog count from the hub server to the spoke server slowly started decreasing.

TCP offload engine is a function used in network interface cards (NIC) to offload processing of the entire TCP/IP stack to the network controller. By moving some or all of the processing to dedicated hardware, a TCP offload engine frees the system's main CPU for other tasks

SymptomsIf you installed update rollup 3156418 on Windows Server 2012 R2, the DFSRS.exe process may consume a high percentage CPU processing power (up to 100 percent). This may cause the DFSR service to become unresponsive to the point at which the service cannot be stopped. You must hard-boot affected computers to restart them.WorkaroundTo work around this problem, uninstall update rollup 3156418.StatusMicrosoft is aware of this problem and is working on a solution.

Make sure you do not install KB3156418 on any DFSR nodes until this issue has been fixed by Microsoft.

Wednesday, July 6, 2016

I encountered an interesting bug with Windows 7 workstations with Access Based Enumeration enabled on a SMB Share and DFS Namespace running on Windows Server 2012 R2.

When a user tries to create a file or folder under a location which they have "Full Modify Rights" in Windows Explorer they receive the following error:

Drive Mapping refers to a location that is unavailable. It could be a hard drive on this computer, or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the Internet on your network, and then try again. If it still cannot be located, the information might have been moved to a different location.

This issue occurs under the following circumstances:

Access Based Enumeration is enabled on a Network Share or DFS Namespace

If a Mapped Network Drive is created to the Share

The user is connecting from a Windows 7 workstation.

The Windows 7 client works under the following circumstances:

If the user creates a file from an application such as Microsoft Word (not Windows Explorer) using a mapped network drive to the folder share, it works corrctly.

If the user opens the UNC Path of the share \\server\share\folder, not via the mapped network drive it works correctly.

Note: If the user connects from 2008 R2, Windows 8.1 or Windows 10 it connects without issues.

When setting up Access Based Enumeration, the root folder should have:

List Folder / Read Data

Applies to "This Folder Only"

This ensures that users have the rights to list all folders at the base level folder for Access Based Enumeration, but requires additional rights to all sub folders hence the folders "hidden" as expected.

The root level permissions are shown below. All sub folders are provided with full modify permissions for the respective security groups.

Wednesday, June 29, 2016

A customer of Avantgarde Technologies was having issues with IMAP4 on Exchange 2013. In Exchange 2013 the IMAP Role has changed and how has a "front end" and "backend role". This is shown by two services below.

The IMAP4 backend role listens on 127.0.0.1:143

If we telnet 127.0.0.1:143or "localhost" we hit the IMAP backend service.

If we telnet the server on any other IP address on TCP143 we hit the IMAP front end service.

This is what is confusing. By default the IMAP4 frontend proxy server component is disabled even if the service is started.

If you telnet the server on its local IP address as shown below.

You will simply get a blank Telnet screen which will automatically close the session seconds after.

This happens as the ImapProxy frontend is disabled by default on the Server Component State of the server.